diff options
author | Peder Bergebakken Sundt <pbsds@hotmail.com> | 2024-01-10 21:06:15 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2024-01-10 21:06:15 +0100 |
commit | dff635f38d01db6a3d534f019495245ec081ff6d (patch) | |
tree | 0fb99edb3dca393553b7615693eabe6c9f9ac1a9 /nixos | |
parent | 5fcfdd4990ab907895fe9bcb1e2e4083d92ca670 (diff) | |
parent | 5ee94c017070bf8fb6e074a34076db8a4cd51d7c (diff) |
Merge pull request #243169 from 2xsaiko/outgoing/krb5
nixos/krb5: cleanup, fix and RFC42-ify
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/doc/manual/release-notes/rl-2405.section.md | 2 | ||||
-rw-r--r-- | nixos/modules/config/krb5/default.nix | 369 | ||||
-rw-r--r-- | nixos/modules/module-list.nix | 2 | ||||
-rw-r--r-- | nixos/modules/security/ipa.nix | 4 | ||||
-rw-r--r-- | nixos/modules/security/krb5/default.nix | 90 | ||||
-rw-r--r-- | nixos/modules/security/krb5/krb5-conf-format.nix | 88 | ||||
-rw-r--r-- | nixos/modules/security/pam.nix | 6 | ||||
-rw-r--r-- | nixos/modules/services/system/kerberos/default.nix | 2 | ||||
-rw-r--r-- | nixos/modules/services/system/kerberos/heimdal.nix | 2 | ||||
-rw-r--r-- | nixos/modules/services/system/kerberos/mit.nix | 2 | ||||
-rw-r--r-- | nixos/tests/kerberos/heimdal.nix | 23 | ||||
-rw-r--r-- | nixos/tests/kerberos/mit.nix | 23 | ||||
-rw-r--r-- | nixos/tests/krb5/default.nix | 1 | ||||
-rw-r--r-- | nixos/tests/krb5/deprecated-config.nix | 50 | ||||
-rw-r--r-- | nixos/tests/krb5/example-config.nix | 140 | ||||
-rw-r--r-- | nixos/tests/nfs/kerberos.nix | 22 | ||||
-rw-r--r-- | nixos/tests/pam/pam-file-contents.nix | 2 |
17 files changed, 304 insertions, 524 deletions
diff --git a/nixos/doc/manual/release-notes/rl-2405.section.md b/nixos/doc/manual/release-notes/rl-2405.section.md index 566b97c58f4d8..648064643930a 100644 --- a/nixos/doc/manual/release-notes/rl-2405.section.md +++ b/nixos/doc/manual/release-notes/rl-2405.section.md @@ -158,6 +158,8 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m - `services.zfs.zed.enableMail` now uses the global `sendmail` wrapper defined by an email module (such as msmtp or Postfix). It no longer requires using a special ZFS build with email support. +- The `krb5` module has been rewritten and moved to `security.krb5`, moving all options but `security.krb5.enable` and `security.krb5.package` into `security.krb5.settings`. + - Gitea 1.21 upgrade has several breaking changes, including: - Custom themes and other assets that were previously stored in `custom/public/*` now belong in `custom/public/assets/*` - New instances of Gitea using MySQL now ignore the `[database].CHARSET` config option and always use the `utf8mb4` charset, existing instances should migrate via the `gitea doctor convert` CLI command. diff --git a/nixos/modules/config/krb5/default.nix b/nixos/modules/config/krb5/default.nix deleted file mode 100644 index df7a3f48236f0..0000000000000 --- a/nixos/modules/config/krb5/default.nix +++ /dev/null @@ -1,369 +0,0 @@ -{ config, lib, pkgs, ... }: - -with lib; - -let - - cfg = config.krb5; - - # This is to provide support for old configuration options (as much as is - # reasonable). This can be removed after 18.03 was released. - defaultConfig = { - libdefaults = optionalAttrs (cfg.defaultRealm != null) - { default_realm = cfg.defaultRealm; }; - - realms = optionalAttrs (lib.all (value: value != null) [ - cfg.defaultRealm cfg.kdc cfg.kerberosAdminServer - ]) { - ${cfg.defaultRealm} = { - kdc = cfg.kdc; - admin_server = cfg.kerberosAdminServer; - }; - }; - - domain_realm = optionalAttrs (lib.all (value: value != null) [ - cfg.domainRealm cfg.defaultRealm - ]) { - ".${cfg.domainRealm}" = cfg.defaultRealm; - ${cfg.domainRealm} = cfg.defaultRealm; - }; - }; - - mergedConfig = (recursiveUpdate defaultConfig { - inherit (config.krb5) - kerberos libdefaults realms domain_realm capaths appdefaults plugins - extraConfig config; - }); - - filterEmbeddedMetadata = value: if isAttrs value then - (filterAttrs - (attrName: attrValue: attrName != "_module" && attrValue != null) - value) - else value; - - indent = " "; - - mkRelation = name: value: - if (isList value) then - concatMapStringsSep "\n" (mkRelation name) value - else "${name} = ${mkVal value}"; - - mkVal = value: - if (value == true) then "true" - else if (value == false) then "false" - else if (isInt value) then (toString value) - else if (isAttrs value) then - let configLines = concatLists - (map (splitString "\n") - (mapAttrsToList mkRelation value)); - in - (concatStringsSep "\n${indent}" - ([ "{" ] ++ configLines)) - + "\n}" - else value; - - mkMappedAttrsOrString = value: concatMapStringsSep "\n" - (line: if builtins.stringLength line > 0 - then "${indent}${line}" - else line) - (splitString "\n" - (if isAttrs value then - concatStringsSep "\n" - (mapAttrsToList mkRelation value) - else value)); - -in { - - ###### interface - - options = { - krb5 = { - enable = mkEnableOption (lib.mdDoc "building krb5.conf, configuration file for Kerberos V"); - - kerberos = mkOption { - type = types.package; - default = pkgs.krb5; - defaultText = literalExpression "pkgs.krb5"; - example = literalExpression "pkgs.heimdal"; - description = lib.mdDoc '' - The Kerberos implementation that will be present in - `environment.systemPackages` after enabling this - service. - ''; - }; - - libdefaults = mkOption { - type = with types; either attrs lines; - default = {}; - apply = attrs: filterEmbeddedMetadata attrs; - example = literalExpression '' - { - default_realm = "ATHENA.MIT.EDU"; - }; - ''; - description = lib.mdDoc '' - Settings used by the Kerberos V5 library. - ''; - }; - - realms = mkOption { - type = with types; either attrs lines; - default = {}; - example = literalExpression '' - { - "ATHENA.MIT.EDU" = { - admin_server = "athena.mit.edu"; - kdc = [ - "athena01.mit.edu" - "athena02.mit.edu" - ]; - }; - }; - ''; - apply = attrs: filterEmbeddedMetadata attrs; - description = lib.mdDoc "Realm-specific contact information and settings."; - }; - - domain_realm = mkOption { - type = with types; either attrs lines; - default = {}; - example = literalExpression '' - { - "example.com" = "EXAMPLE.COM"; - ".example.com" = "EXAMPLE.COM"; - }; - ''; - apply = attrs: filterEmbeddedMetadata attrs; - description = lib.mdDoc '' - Map of server hostnames to Kerberos realms. - ''; - }; - - capaths = mkOption { - type = with types; either attrs lines; - default = {}; - example = literalExpression '' - { - "ATHENA.MIT.EDU" = { - "EXAMPLE.COM" = "."; - }; - "EXAMPLE.COM" = { - "ATHENA.MIT.EDU" = "."; - }; - }; - ''; - apply = attrs: filterEmbeddedMetadata attrs; - description = lib.mdDoc '' - Authentication paths for non-hierarchical cross-realm authentication. - ''; - }; - - appdefaults = mkOption { - type = with types; either attrs lines; - default = {}; - example = literalExpression '' - { - pam = { - debug = false; - ticket_lifetime = 36000; - renew_lifetime = 36000; - max_timeout = 30; - timeout_shift = 2; - initial_timeout = 1; - }; - }; - ''; - apply = attrs: filterEmbeddedMetadata attrs; - description = lib.mdDoc '' - Settings used by some Kerberos V5 applications. - ''; - }; - - plugins = mkOption { - type = with types; either attrs lines; - default = {}; - example = literalExpression '' - { - ccselect = { - disable = "k5identity"; - }; - }; - ''; - apply = attrs: filterEmbeddedMetadata attrs; - description = lib.mdDoc '' - Controls plugin module registration. - ''; - }; - - extraConfig = mkOption { - type = with types; nullOr lines; - default = null; - example = '' - [logging] - kdc = SYSLOG:NOTICE - admin_server = SYSLOG:NOTICE - default = SYSLOG:NOTICE - ''; - description = lib.mdDoc '' - These lines go to the end of `krb5.conf` verbatim. - `krb5.conf` may include any of the relations that are - valid for `kdc.conf` (see `man kdc.conf`), - but it is not a recommended practice. - ''; - }; - - config = mkOption { - type = with types; nullOr lines; - default = null; - example = '' - [libdefaults] - default_realm = EXAMPLE.COM - - [realms] - EXAMPLE.COM = { - admin_server = kerberos.example.com - kdc = kerberos.example.com - default_principal_flags = +preauth - } - - [domain_realm] - example.com = EXAMPLE.COM - .example.com = EXAMPLE.COM - - [logging] - kdc = SYSLOG:NOTICE - admin_server = SYSLOG:NOTICE - default = SYSLOG:NOTICE - ''; - description = lib.mdDoc '' - Verbatim `krb5.conf` configuration. Note that this - is mutually exclusive with configuration via - `libdefaults`, `realms`, - `domain_realm`, `capaths`, - `appdefaults`, `plugins` and - `extraConfig` configuration options. Consult - `man krb5.conf` for documentation. - ''; - }; - - defaultRealm = mkOption { - type = with types; nullOr str; - default = null; - example = "ATHENA.MIT.EDU"; - description = lib.mdDoc '' - DEPRECATED, please use - `krb5.libdefaults.default_realm`. - ''; - }; - - domainRealm = mkOption { - type = with types; nullOr str; - default = null; - example = "athena.mit.edu"; - description = lib.mdDoc '' - DEPRECATED, please create a map of server hostnames to Kerberos realms - in `krb5.domain_realm`. - ''; - }; - - kdc = mkOption { - type = with types; nullOr str; - default = null; - example = "kerberos.mit.edu"; - description = lib.mdDoc '' - DEPRECATED, please pass a `kdc` attribute to a realm - in `krb5.realms`. - ''; - }; - - kerberosAdminServer = mkOption { - type = with types; nullOr str; - default = null; - example = "kerberos.mit.edu"; - description = lib.mdDoc '' - DEPRECATED, please pass an `admin_server` attribute - to a realm in `krb5.realms`. - ''; - }; - }; - }; - - ###### implementation - - config = mkIf cfg.enable { - - environment.systemPackages = [ cfg.kerberos ]; - - environment.etc."krb5.conf".text = if isString cfg.config - then cfg.config - else ('' - [libdefaults] - ${mkMappedAttrsOrString mergedConfig.libdefaults} - - [realms] - ${mkMappedAttrsOrString mergedConfig.realms} - - [domain_realm] - ${mkMappedAttrsOrString mergedConfig.domain_realm} - - [capaths] - ${mkMappedAttrsOrString mergedConfig.capaths} - - [appdefaults] - ${mkMappedAttrsOrString mergedConfig.appdefaults} - - [plugins] - ${mkMappedAttrsOrString mergedConfig.plugins} - '' + optionalString (mergedConfig.extraConfig != null) - ("\n" + mergedConfig.extraConfig)); - - warnings = flatten [ - (optional (cfg.defaultRealm != null) '' - The option krb5.defaultRealm is deprecated, please use - krb5.libdefaults.default_realm. - '') - (optional (cfg.domainRealm != null) '' - The option krb5.domainRealm is deprecated, please use krb5.domain_realm. - '') - (optional (cfg.kdc != null) '' - The option krb5.kdc is deprecated, please pass a kdc attribute to a - realm in krb5.realms. - '') - (optional (cfg.kerberosAdminServer != null) '' - The option krb5.kerberosAdminServer is deprecated, please pass an - admin_server attribute to a realm in krb5.realms. - '') - ]; - - assertions = [ - { assertion = !((builtins.any (value: value != null) [ - cfg.defaultRealm cfg.domainRealm cfg.kdc cfg.kerberosAdminServer - ]) && ((builtins.any (value: value != {}) [ - cfg.libdefaults cfg.realms cfg.domain_realm cfg.capaths - cfg.appdefaults cfg.plugins - ]) || (builtins.any (value: value != null) [ - cfg.config cfg.extraConfig - ]))); - message = '' - Configuration of krb5.conf by deprecated options is mutually exclusive - with configuration by section. Please migrate your config using the - attributes suggested in the warnings. - ''; - } - { assertion = !(cfg.config != null - && ((builtins.any (value: value != {}) [ - cfg.libdefaults cfg.realms cfg.domain_realm cfg.capaths - cfg.appdefaults cfg.plugins - ]) || (builtins.any (value: value != null) [ - cfg.extraConfig cfg.defaultRealm cfg.domainRealm cfg.kdc - cfg.kerberosAdminServer - ]))); - message = '' - Configuration of krb5.conf using krb.config is mutually exclusive with - configuration by section. If you want to mix the two, you can pass - lines to any configuration section or lines to krb5.extraConfig. - ''; - } - ]; - }; -} diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index 36f34e50d595d..02832e656dc95 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix @@ -10,7 +10,6 @@ ./config/gtk/gtk-icon-cache.nix ./config/i18n.nix ./config/iproute2.nix - ./config/krb5/default.nix ./config/ldap.nix ./config/ldso.nix ./config/locale.nix @@ -309,6 +308,7 @@ ./security/duosec.nix ./security/google_oslogin.nix ./security/ipa.nix + ./security/krb5 ./security/lock-kernel-modules.nix ./security/misc.nix ./security/oath.nix diff --git a/nixos/modules/security/ipa.nix b/nixos/modules/security/ipa.nix index 49226ec38199c..3bf8b11f86261 100644 --- a/nixos/modules/security/ipa.nix +++ b/nixos/modules/security/ipa.nix @@ -117,8 +117,8 @@ in { config = mkIf cfg.enable { assertions = [ { - assertion = !config.krb5.enable; - message = "krb5 must be disabled through `krb5.enable` for FreeIPA integration to work."; + assertion = !config.security.krb5.enable; + message = "krb5 must be disabled through `security.krb5.enable` for FreeIPA integration to work."; } { assertion = !config.users.ldap.enable; diff --git a/nixos/modules/security/krb5/default.nix b/nixos/modules/security/krb5/default.nix new file mode 100644 index 0000000000000..5921982f954ca --- /dev/null +++ b/nixos/modules/security/krb5/default.nix @@ -0,0 +1,90 @@ +{ config, lib, pkgs, ... }: +let + inherit (lib) mdDoc mkIf mkOption mkPackageOption mkRemovedOptionModule; + inherit (lib.types) bool; + + mkRemovedOptionModule' = name: reason: mkRemovedOptionModule ["krb5" name] reason; + mkRemovedOptionModuleCfg = name: mkRemovedOptionModule' name '' + The option `krb5.${name}' has been removed. Use + `security.krb5.settings.${name}' for structured configuration. + ''; + + cfg = config.security.krb5; + format = import ./krb5-conf-format.nix { inherit pkgs lib; } { }; +in { + imports = [ + (mkRemovedOptionModuleCfg "libdefaults") + (mkRemovedOptionModuleCfg "realms") + (mkRemovedOptionModuleCfg "domain_realm") + (mkRemovedOptionModuleCfg "capaths") + (mkRemovedOptionModuleCfg "appdefaults") + (mkRemovedOptionModuleCfg "plugins") + (mkRemovedOptionModuleCfg "config") + (mkRemovedOptionModuleCfg "extraConfig") + (mkRemovedOptionModule' "kerberos" '' + The option `krb5.kerberos' has been moved to `security.krb5.package'. + '') + ]; + + options = { + security.krb5 = { + enable = mkOption { + default = false; + description = mdDoc "Enable and configure Kerberos utilities"; + type = bool; + }; + + package = mkPackageOption pkgs "krb5" { + example = "heimdal"; + }; + + settings = mkOption { + default = { }; + type = format.type; + description = mdDoc '' + Structured contents of the {file}`krb5.conf` file. See + {manpage}`krb5.conf(5)` for details about configuration. + ''; + example = { + include = [ "/run/secrets/secret-krb5.conf" ]; + includedir = [ "/run/secrets/secret-krb5.conf.d" ]; + + libdefaults = { + default_realm = "ATHENA.MIT.EDU"; + }; + + realms = { + "ATHENA.MIT.EDU" = { + admin_server = "athena.mit.edu"; + kdc = [ + "athena01.mit.edu" + "athena02.mit.edu" + ]; + }; + }; + + domain_realm = { + "mit.edu" = "ATHENA.MIT.EDU"; + }; + + logging = { + kdc = "SYSLOG:NOTICE"; + admin_server = "SYSLOG:NOTICE"; + default = "SYSLOG:NOTICE"; + }; + }; + }; + }; + }; + + config = mkIf cfg.enable { + environment = { + systemPackages = [ cfg.package ]; + etc."krb5.conf".source = format.generate "krb5.conf" cfg.settings; + }; + }; + + meta.maintainers = builtins.attrValues { + inherit (lib.maintainers) dblsaiko h7x4; + }; +} diff --git a/nixos/modules/security/krb5/krb5-conf-format.nix b/nixos/modules/security/krb5/krb5-conf-format.nix new file mode 100644 index 0000000000000..d01e47a40be05 --- /dev/null +++ b/nixos/modules/security/krb5/krb5-conf-format.nix @@ -0,0 +1,88 @@ +{ pkgs, lib, ... }: + +# Based on +# - https://web.mit.edu/kerberos/krb5-1.12/doc/admin/conf_files/krb5_conf.html +# - https://manpages.debian.org/unstable/heimdal-docs/krb5.conf.5heimdal.en.html + +let + inherit (lib) boolToString concatMapStringsSep concatStringsSep filter + isAttrs isBool isList mapAttrsToList mdDoc mkOption singleton splitString; + inherit (lib.types) attrsOf bool coercedTo either int listOf oneOf path + str submodule; +in +{ }: { + type = let + section = attrsOf relation; + relation = either (attrsOf value) value; + value = either (listOf atom) atom; + atom = oneOf [int str bool]; + in submodule { + freeformType = attrsOf section; + options = { + include = mkOption { + default = [ ]; + description = mdDoc '' + Files to include in the Kerberos configuration. + ''; + type = coercedTo path singleton (listOf path); + }; + includedir = mkOption { + default = [ ]; + description = mdDoc '' + Directories containing files to include in the Kerberos configuration. + ''; + type = coercedTo path singleton (listOf path); + }; + module = mkOption { + default = [ ]; + description = mdDoc '' + Modules to obtain Kerberos configuration from. + ''; + type = coercedTo path singleton (listOf path); + }; + }; + }; + + generate = let + indent = str: concatMapStringsSep "\n" (line: " " + line) (splitString "\n" str); + + formatToplevel = args @ { + include ? [ ], + includedir ? [ ], + module ? [ ], + ... + }: let + sections = removeAttrs args [ "include" "includedir" "module" ]; + in concatStringsSep "\n" (filter (x: x != "") [ + (concatStringsSep "\n" (mapAttrsToList formatSection sections)) + (concatMapStringsSep "\n" (m: "module ${m}") module) + (concatMapStringsSep "\n" (i: "include ${i}") include) + (concatMapStringsSep "\n" (i: "includedir ${i}") includedir) + ]); + + formatSection = name: section: '' + [${name}] + ${indent (concatStringsSep "\n" (mapAttrsToList formatRelation section))} + ''; + + formatRelation = name: relation: + if isAttrs relation + then '' + ${name} = { + ${indent (concatStringsSep "\n" (mapAttrsToList formatValue relation))} + }'' + else formatValue name relation; + + formatValue = name: value: + if isList value + then concatMapStringsSep "\n" (formatAtom name) value + else formatAtom name value; + + formatAtom = name: atom: let + v = if isBool atom then boolToString atom else toString atom; + in "${name} = ${v}"; + in + name: value: pkgs.writeText name '' + ${formatToplevel value} + ''; +} diff --git a/nixos/modules/security/pam.nix b/nixos/modules/security/pam.nix index 50f9272ac301f..111be7057afc0 100644 --- a/nixos/modules/security/pam.nix +++ b/nixos/modules/security/pam.nix @@ -1086,8 +1086,8 @@ in security.pam.krb5 = { enable = mkOption { - default = config.krb5.enable; - defaultText = literalExpression "config.krb5.enable"; + default = config.security.krb5.enable; + defaultText = literalExpression "config.security.krb5.enable"; type = types.bool; description = lib.mdDoc '' Enables Kerberos PAM modules (`pam-krb5`, @@ -1095,7 +1095,7 @@ in If set, users can authenticate with their Kerberos password. This requires a valid Kerberos configuration - (`config.krb5.enable` should be set to + (`config.security.krb5.enable` should be set to `true`). Note that the Kerberos PAM modules are not necessary when using SSS diff --git a/nixos/modules/services/system/kerberos/default.nix b/nixos/modules/services/system/kerberos/default.nix index 4ed48e463741a..486d4b49c195a 100644 --- a/nixos/modules/services/system/kerberos/default.nix +++ b/nixos/modules/services/system/kerberos/default.nix @@ -3,7 +3,7 @@ let inherit (lib) mkOption mkIf types length attrNames; cfg = config.services.kerberos_server; - kerberos = config.krb5.kerberos; + kerberos = config.security.krb5.package; aclEntry = { options = { diff --git a/nixos/modules/services/system/kerberos/heimdal.nix b/nixos/modules/services/system/kerberos/heimdal.nix index 837c59caa5620..4789e4790b4bc 100644 --- a/nixos/modules/services/system/kerberos/heimdal.nix +++ b/nixos/modules/services/system/kerberos/heimdal.nix @@ -4,7 +4,7 @@ let inherit (lib) mkIf concatStringsSep concatMapStrings toList mapAttrs mapAttrsToList; cfg = config.services.kerberos_server; - kerberos = config.krb5.kerberos; + kerberos = config.security.krb5.package; stateDir = "/var/heimdal"; aclFiles = mapAttrs (name: {acl, ...}: pkgs.writeText "${name}.acl" (concatMapStrings (( diff --git a/nixos/modules/services/system/kerberos/mit.nix b/nixos/modules/services/system/kerberos/mit.nix index 112000140453f..a654bd1fe7e1b 100644 --- a/nixos/modules/services/system/kerberos/mit.nix +++ b/nixos/modules/services/system/kerberos/mit.nix @@ -4,7 +4,7 @@ let inherit (lib) mkIf concatStrings concatStringsSep concatMapStrings toList mapAttrs mapAttrsToList; cfg = config.services.kerberos_server; - kerberos = config.krb5.kerberos; + kerberos = config.security.krb5.package; stateDir = "/var/lib/krb5kdc"; PIDFile = "/run/kdc.pid"; aclMap = { diff --git a/nixos/tests/kerberos/heimdal.nix b/nixos/tests/kerberos/heimdal.nix index 47f9d0285aef7..393289f7a92ca 100644 --- a/nixos/tests/kerberos/heimdal.nix +++ b/nixos/tests/kerberos/heimdal.nix @@ -1,5 +1,6 @@ import ../make-test-python.nix ({pkgs, ...}: { name = "kerberos_server-heimdal"; + nodes.machine = { config, libs, pkgs, ...}: { services.kerberos_server = { enable = true; @@ -7,16 +8,18 @@ import ../make-test-python.nix ({pkgs, ...}: { "FOO.BAR".acl = [{principal = "admin"; access = ["add" "cpw"];}]; }; }; - krb5 = { + security.krb5 = { enable = true; - kerberos = pkgs.heimdal; - libdefaults = { - default_realm = "FOO.BAR"; - }; - realms = { - "FOO.BAR" = { - admin_server = "machine"; - kdc = "machine"; + package = pkgs.heimdal; + settings = { + libdefaults = { + default_realm = "FOO.BAR"; + }; + realms = { + "FOO.BAR" = { + admin_server = "machine"; + kdc = "machine"; + }; }; }; }; @@ -39,4 +42,6 @@ import ../make-test-python.nix ({pkgs, ...}: { "kinit -kt alice.keytab alice", ) ''; + + meta.maintainers = [ pkgs.lib.maintainers.dblsaiko ]; }) diff --git a/nixos/tests/kerberos/mit.nix b/nixos/tests/kerberos/mit.nix index 7e427ffef0ba8..1191d047abbf0 100644 --- a/nixos/tests/kerberos/mit.nix +++ b/nixos/tests/kerberos/mit.nix @@ -1,5 +1,6 @@ import ../make-test-python.nix ({pkgs, ...}: { name = "kerberos_server-mit"; + nodes.machine = { config, libs, pkgs, ...}: { services.kerberos_server = { enable = true; @@ -7,16 +8,18 @@ import ../make-test-python.nix ({pkgs, ...}: { "FOO.BAR".acl = [{principal = "admin"; access = ["add" "cpw"];}]; }; }; - krb5 = { + security.krb5 = { enable = true; - kerberos = pkgs.krb5; - libdefaults = { - default_realm = "FOO.BAR"; - }; - realms = { - "FOO.BAR" = { - admin_server = "machine"; - kdc = "machine"; + package = pkgs.krb5; + settings = { + libdefaults = { + default_realm = "FOO.BAR"; + }; + realms = { + "FOO.BAR" = { + admin_server = "machine"; + kdc = "machine"; + }; }; }; }; @@ -38,4 +41,6 @@ import ../make-test-python.nix ({pkgs, ...}: { "echo alice_pw | sudo -u alice kinit", ) ''; + + meta.maintainers = [ pkgs.lib.maintainers.dblsaiko ]; }) diff --git a/nixos/tests/krb5/default.nix b/nixos/tests/krb5/default.nix index dd5b2f37202e8..ede085632c634 100644 --- a/nixos/tests/krb5/default.nix +++ b/nixos/tests/krb5/default.nix @@ -1,5 +1,4 @@ { system ? builtins.currentSystem }: { example-config = import ./example-config.nix { inherit system; }; - deprecated-config = import ./deprecated-config.nix { inherit system; }; } diff --git a/nixos/tests/krb5/deprecated-config.nix b/nixos/tests/krb5/deprecated-config.nix deleted file mode 100644 index aca29ae6ca2b2..0000000000000 --- a/nixos/tests/krb5/deprecated-config.nix +++ /dev/null @@ -1,50 +0,0 @@ -# Verifies that the configuration suggested in deprecated example values -# will result in the expected output. - -import ../make-test-python.nix ({ pkgs, ...} : { - name = "krb5-with-deprecated-config"; - meta = with pkgs.lib.maintainers; { - maintainers = [ eqyiel ]; - }; - - nodes.machine = - { ... }: { - krb5 = { - enable = true; - defaultRealm = "ATHENA.MIT.EDU"; - domainRealm = "athena.mit.edu"; - kdc = "kerberos.mit.edu"; - kerberosAdminServer = "kerberos.mit.edu"; - }; - }; - - testScript = - let snapshot = pkgs.writeText "krb5-with-deprecated-config.conf" '' - [libdefaults] - default_realm = ATHENA.MIT.EDU - - [realms] - ATHENA.MIT.EDU = { - admin_server = kerberos.mit.edu - kdc = kerberos.mit.edu - } - - [domain_realm] - .athena.mit.edu = ATHENA.MIT.EDU - athena.mit.edu = ATHENA.MIT.EDU - - [capaths] - - - [appdefaults] - - - [plugins] - - ''; - in '' - machine.succeed( - "diff /etc/krb5.conf ${snapshot}" - ) - ''; -}) diff --git a/nixos/tests/krb5/example-config.nix b/nixos/tests/krb5/example-config.nix index 9a5c3b2af2490..33bed481b39fc 100644 --- a/nixos/tests/krb5/example-config.nix +++ b/nixos/tests/krb5/example-config.nix @@ -4,78 +4,77 @@ import ../make-test-python.nix ({ pkgs, ...} : { name = "krb5-with-example-config"; meta = with pkgs.lib.maintainers; { - maintainers = [ eqyiel ]; + maintainers = [ eqyiel dblsaiko ]; }; nodes.machine = { pkgs, ... }: { - krb5 = { + security.krb5 = { enable = true; - kerberos = pkgs.krb5; - libdefaults = { - default_realm = "ATHENA.MIT.EDU"; - }; - realms = { - "ATHENA.MIT.EDU" = { - admin_server = "athena.mit.edu"; - kdc = [ - "athena01.mit.edu" - "athena02.mit.edu" - ]; + package = pkgs.krb5; + settings = { + includedir = [ + "/etc/krb5.conf.d" + ]; + include = [ + "/etc/krb5-extra.conf" + ]; + libdefaults = { + default_realm = "ATHENA.MIT.EDU"; }; - }; - domain_realm = { - "example.com" = "EXAMPLE.COM"; - ".example.com" = "EXAMPLE.COM"; - }; - capaths = { - "ATHENA.MIT.EDU" = { - "EXAMPLE.COM" = "."; + realms = { + "ATHENA.MIT.EDU" = { + admin_server = "athena.mit.edu"; + kdc = [ + "athena01.mit.edu" + "athena02.mit.edu" + ]; + }; }; - "EXAMPLE.COM" = { - "ATHENA.MIT.EDU" = "."; + domain_realm = { + "example.com" = "EXAMPLE.COM"; + ".example.com" = "EXAMPLE.COM"; }; - }; - appdefaults = { - pam = { - debug = false; - ticket_lifetime = 36000; - renew_lifetime = 36000; - max_timeout = 30; - timeout_shift = 2; - initial_timeout = 1; + capaths = { + "ATHENA.MIT.EDU" = { + "EXAMPLE.COM" = "."; + }; + "EXAMPLE.COM" = { + "ATHENA.MIT.EDU" = "."; + }; }; - }; - plugins = { - ccselect = { - disable = "k5identity"; + appdefaults = { + pam = { + debug = false; + ticket_lifetime = 36000; + renew_lifetime = 36000; + max_timeout = 30; + timeout_shift = 2; + initial_timeout = 1; + }; + }; + plugins.ccselect.disable = "k5identity"; + logging = { + kdc = "SYSLOG:NOTICE"; + admin_server = "SYSLOG:NOTICE"; + default = "SYSLOG:NOTICE"; }; }; - extraConfig = '' - [logging] - kdc = SYSLOG:NOTICE - admin_server = SYSLOG:NOTICE - default = SYSLOG:NOTICE - ''; }; }; testScript = let snapshot = pkgs.writeText "krb5-with-example-config.conf" '' - [libdefaults] - default_realm = ATHENA.MIT.EDU - - [realms] - ATHENA.MIT.EDU = { - admin_server = athena.mit.edu - kdc = athena01.mit.edu - kdc = athena02.mit.edu + [appdefaults] + pam = { + debug = false + initial_timeout = 1 + max_timeout = 30 + renew_lifetime = 36000 + ticket_lifetime = 36000 + timeout_shift = 2 } - [domain_realm] - .example.com = EXAMPLE.COM - example.com = EXAMPLE.COM - [capaths] ATHENA.MIT.EDU = { EXAMPLE.COM = . @@ -84,25 +83,32 @@ import ../make-test-python.nix ({ pkgs, ...} : { ATHENA.MIT.EDU = . } - [appdefaults] - pam = { - debug = false - initial_timeout = 1 - max_timeout = 30 - renew_lifetime = 36000 - ticket_lifetime = 36000 - timeout_shift = 2 - } + [domain_realm] + .example.com = EXAMPLE.COM + example.com = EXAMPLE.COM + + [libdefaults] + default_realm = ATHENA.MIT.EDU + + [logging] + admin_server = SYSLOG:NOTICE + default = SYSLOG:NOTICE + kdc = SYSLOG:NOTICE [plugins] ccselect = { disable = k5identity } - [logging] - kdc = SYSLOG:NOTICE - admin_server = SYSLOG:NOTICE - default = SYSLOG:NOTICE + [realms] + ATHENA.MIT.EDU = { + admin_server = athena.mit.edu + kdc = athena01.mit.edu + kdc = athena02.mit.edu + } + + include /etc/krb5-extra.conf + includedir /etc/krb5.conf.d ''; in '' machine.succeed( diff --git a/nixos/tests/nfs/kerberos.nix b/nixos/tests/nfs/kerberos.nix index a7d08bc628c62..1bace4058be59 100644 --- a/nixos/tests/nfs/kerberos.nix +++ b/nixos/tests/nfs/kerberos.nix @@ -1,15 +1,17 @@ import ../make-test-python.nix ({ pkgs, lib, ... }: let - krb5 = - { enable = true; - domain_realm."nfs.test" = "NFS.TEST"; + security.krb5 = { + enable = true; + settings = { + domain_realm."nfs.test" = "NFS.TEST"; libdefaults.default_realm = "NFS.TEST"; - realms."NFS.TEST" = - { admin_server = "server.nfs.test"; - kdc = "server.nfs.test"; - }; + realms."NFS.TEST" = { + admin_server = "server.nfs.test"; + kdc = "server.nfs.test"; + }; }; + }; hosts = '' @@ -32,7 +34,7 @@ in nodes = { client = { lib, ... }: - { inherit krb5 users; + { inherit security users; networking.extraHosts = hosts; networking.domain = "nfs.test"; @@ -48,7 +50,7 @@ in }; server = { lib, ...}: - { inherit krb5 users; + { inherit security users; networking.extraHosts = hosts; networking.domain = "nfs.test"; @@ -128,4 +130,6 @@ in expected = ["alice", "users"] assert ids == expected, f"ids incorrect: got {ids} expected {expected}" ''; + + meta.maintainers = [ lib.maintainers.dblsaiko ]; }) diff --git a/nixos/tests/pam/pam-file-contents.nix b/nixos/tests/pam/pam-file-contents.nix index 2bafd90618e97..accaa4cc70a94 100644 --- a/nixos/tests/pam/pam-file-contents.nix +++ b/nixos/tests/pam/pam-file-contents.nix @@ -7,7 +7,7 @@ import ../make-test-python.nix ({ pkgs, ... }: { nodes.machine = { ... }: { imports = [ ../../modules/profiles/minimal.nix ]; - krb5.enable = true; + security.krb5.enable = true; users = { mutableUsers = false; |